Protecting the computer against malware attacks exploiting the XCP DRM software


Issue:

This document explains how the First 4 Internet Ltd. Digital Rights Management (DRM) software used in some Sony music CDs can affect the reliability and the security of the user's computer and the actions that BitDefender takes in order to protect its customers.


Solution:

Rootkit: an application that uses low-level techniques to conceal files, interposing itself between the operating system kernel and any program used to display or detect those files, such as a file manager or an antivirus. It usually ships in the same package as a trojan component, making it possible for the attacker to gain unrestricted control of the computer.

In March 2005, Sony began releasing commercial titles featuring the XCP (Extended Copy Protection) technology from the UK antipiracy company First 4 Internet. XCP allows consumers to make three copies of a protected disc, but blocks copies of those copies.

To enforce the copy protection without letting a casual user bypass it, XCP uses a concealment technique borrowed from rootkits. When an XCP-protected CD is played on a computer running a 32-bit Windows operating system, the setup package for the player software copies several files into the folder:

%System32%\$sys$filesystem

The folder and its contents are hidden from directory and process listings by a driver file called Aries.sys, which filters out every file, directory, process and registry key whose name begins with $sys$. This makes them invisible to any Windows application, including Windows Explorer and BitDefender. Computers on which the XCP protection is installed are therefore vulnerable to malware that uses the $sys$ prefix, or the hidden folder itself, to conceal its own files.
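As an added illustration (not BitDefender's detection code and not the XCP driver's actual implementation), the following Python models the cloaking rule applied by Aries.sys and the cross-view comparison a rootkit detector uses to find what the rule hides: anything whose name begins with $sys$ disappears from the view that goes through the filtered Windows API, so comparing that view against an unfiltered listing (for instance one taken from a clean boot or a raw read of the volume) exposes the cloaked entries. The directory, process and registry contents below are constructed sample data; the case-insensitive prefix match, the malware file names and the registry key are assumptions made for the example.

```python
"""Model of the XCP/Aries.sys $sys$ cloaking rule and a cross-view check.

Added illustration only: this is not the driver's code and not BitDefender's
engine. All listings below are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass

CLOAK_PREFIX = "$sys$"  # prefix the XCP filter driver hides

SYSTEM32 = r"C:\WINDOWS\system32"
XCP_DIR = SYSTEM32 + r"\$sys$filesystem"  # folder named on the page


@dataclass(frozen=True)
class Entry:
    path: str  # file/directory path, process image name, or registry key path
    kind: str  # "file", "dir", "process" or "reg"


def is_cloaked(path: str) -> bool:
    """Model of the filter: an object is hidden if any component of its
    name starts with $sys$, so a hidden folder also hides everything
    under it. Case-insensitive comparison is an assumption of this model."""
    parts = [p for p in path.replace("/", "\\").split("\\") if p]
    return any(p.lower().startswith(CLOAK_PREFIX) for p in parts)


def api_view(raw: list[Entry]) -> list[Entry]:
    """What Explorer or an antivirus sees with the filter driver loaded:
    the unfiltered listing minus every cloaked object."""
    return [e for e in raw if not is_cloaked(e.path)]


def cross_view_diff(api: list[Entry], raw: list[Entry]) -> list[Entry]:
    """Rootkit-detector logic: objects present in the unfiltered view but
    absent from the API view are being hidden from applications."""
    seen = {(e.kind, e.path.lower()) for e in api}
    return [e for e in raw if (e.kind, e.path.lower()) not in seen]


def report(raw: list[Entry]) -> dict[str, list[str]]:
    """Split hidden objects into XCP's own folder and everything else;
    cloaked objects outside the XCP folder point at third-party abuse."""
    hidden = cross_view_diff(api_view(raw), raw)
    in_xcp_dir = [
        e.path for e in hidden
        if e.kind in ("file", "dir") and e.path.lower().startswith(XCP_DIR.lower())
    ]
    outside = [e.path for e in hidden if e.path not in in_xcp_dir]
    return {
        "hidden": [e.path for e in hidden],
        "xcp_folder": in_xcp_dir,
        "outside_xcp_folder": outside,
    }


# Constructed sample: what an unfiltered scanner would enumerate.
RAW_LISTING = [
    Entry(SYSTEM32 + r"\kernel32.dll", "file"),
    Entry(XCP_DIR, "dir"),
    Entry(XCP_DIR + r"\aries.sys", "file"),            # the cloaking driver itself
    Entry(SYSTEM32 + r"\$sys$drv.exe", "file"),        # hypothetical malware using the prefix
    Entry("explorer.exe", "process"),
    Entry("$sys$payload.exe", "process"),              # hypothetical cloaked process
    Entry(r"HKLM\SYSTEM\CurrentControlSet\Services\$sys$example", "reg"),  # hypothetical key
]

if __name__ == "__main__":
    result = report(RAW_LISTING)
    print("visible to applications:", [e.path for e in api_view(RAW_LISTING)])
    print("hidden by the $sys$ filter:", result["hidden"])
    print("cloaked outside the XCP folder (suspicious):", result["outside_xcp_folder"])
```

On a real machine the "raw" side of the comparison has to come from somewhere the filter driver is not loaded (a clean boot or an offline scan of the disk); with Aries.sys active, every in-band listing is already filtered, which is exactly why the hidden folder is invisible to Explorer and to an antivirus running on the same system.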

The Sony CDs include no method to uninstall the concealing driver. Following Mark Russinovich's (Sysinternals) disclosure of the rootkit technique, Sony released a patch on the company's FAQ page that makes the hidden directory visible again.

Attempting to manually remove the files installed by the XCP protection can leave the computer malfunctioning and, in some countries, infringe the End-User License Agreement (EULA).

Besides Sony, First 4 Internet's clients included Universal Music Group, Warner Music Group and EMI, who reportedly used XCP for prerelease material.

BitDefender detects applications that use the XCP rootkit to hide files from the user or from the antivirus. BitDefender does not detect the Sony application itself as spyware or malware; instead, it notifies the user of the potential risk this application represents.




Software Applications:
BitDefender Internet Security, BitDefender Online Scanner

Operating systems:
Windows 2000, Windows 2003, Windows 98, Windows Me, Windows NT, Windows XP

Solution ID: 281 Created on 10 Nov 2005 17:07
Language: English Modified on 10 Nov 2005 17:21

